Analysis Overview
SHA256
22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f
Threat Level: Shows suspicious behavior
The file 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:30
Reported
2024-11-09 20:33
Platform
win7-20240903-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\SysDrv9S\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9S\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax48\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv9S\devdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
"C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\SysDrv9S\devdobec.exe
C:\SysDrv9S\devdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | 5e46fa8e685dab487116a70651d17f4f |
| SHA1 | 3f2ecfa7bf7ebaf4cc679b6239502b09eed474ed |
| SHA256 | cb59ea181ea1fd87f7edd6744a2f2a3074ed3ba313d276f4e15a124dc93604c1 |
| SHA512 | 5c95d243543d0ede23dc6414f1eced3440b711275324ac093460f82670763d0843bc75cba7469c22955f6bbd6252ac24c7295c36b24fc1960298b6a1bcbf9f1a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 908f256cc0adf8104fe5b78e721d0258 |
| SHA1 | cda7a39ddcc166fd721d5a490ad718af4e672ec7 |
| SHA256 | 887e6c0e0a77fc57a0f0cdb4f226e9c4a2ff6ed4be56a0790f1bb8aeaa9d4c9b |
| SHA512 | 2affceccf1b0b03c832f0eff7946dddcdd7ce074b2bf6d670351407e6475b44f3c20fd1c59ca73f54167e4b828b047ee379077514682b3bdf117f8a1ec0c0d6f |
C:\SysDrv9S\devdobec.exe
| MD5 | f04667c7c1a199613e1c669d9aa1f955 |
| SHA1 | e908244991e1cd2ea933ac68d2c933ea067aff71 |
| SHA256 | 329f53d04d871137cf0404f43f52c7fc4de9a96c08ca006506bf622bc6803e1d |
| SHA512 | d0f513eeb37fcf8055d12eb068be0c45c4ade949d11d6b6e9ec7ffb33cc25729e65d8a9b08f63d9b12b3a76aa4e56b2d8fb29360e21d57974dfdc67a0ff54521 |
C:\Galax48\optixloc.exe
| MD5 | 40c5bbb60e55bbd1091d47ac106d7e70 |
| SHA1 | a0a18e5ad953d4394451e1ef58fd4e6957169084 |
| SHA256 | f33b4c2c37a38bce3d28311463ea3bb5d9655391cc3359be13ec83bd538a4023 |
| SHA512 | c8c627aee442f9653bc266788d0f66cf3c9df122faed60d0c911dbdb170584be87e8bb1845544c0d269b05f140915dfe5a54809232234cf8405b03e999c2aa0b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 14bf3dadc7715960818342191277588e |
| SHA1 | d6149fe51392eedc2f52d20ff58290ca4d0537bd |
| SHA256 | 133e3efad18e123cb5de66e7988057280e028a62bdfd3b814b39fc4eee5bd3b7 |
| SHA512 | 2dac2340d48a081972316e5c6f1843d7d150d725253cbf8905811ee628792dd5c2469d97aecc411df0c927d09e3479f5892a66924488f4c25fd8fdc62716191c |
C:\Galax48\optixloc.exe
| MD5 | 05177f4b4c1e473827ba1ba6ec9e3f89 |
| SHA1 | d1b30c1144349697383ae012676fed0e367c278c |
| SHA256 | 6efc6cc16c0548cff13c43576524e691f99504226b50ad8620b6c325210290d4 |
| SHA512 | 0475eec2dae0ae565c0d10dc034cd3d70ada75821675b6b97eaa3acae9f32c4a3a2f940b13dc45291dceedaf2132f8d08d2c4ec17905101613418ce4e6b5f4a6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 20:30
Reported
2024-11-09 20:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
139s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\SysDrvTN\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTN\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZW7\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvTN\xdobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
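The Run/RunOnce values and the Startup-folder drop recorded in both detonations are the persistence pattern a detection engineer would turn into a rule: an autostart value whose target is an executable in a freshly created directory directly under the drive root (C:\SysDrv9S\, C:\Galax48\, C:\SysDrvTN\, C:\LabZW7\), plus an executable written to the per-user Startup folder. The following is an added example and not part of the sandbox report: a Python scanner over Sysmon-style registry value-set (EventID 13) and file-create (EventID 11) events. The event records, the `ALLOWED_ROOT_DIRS` allowlist and the benign events are constructed for illustration; the value name `Parametr` and the paths are taken from this report.

```python
import re
from typing import Iterable, Optional

# Run / RunOnce value under any hive, e.g.
# HKU\S-1-5-21-...-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Per-user Startup folder, e.g. ...\Start Menu\Programs\Startup\locxdob.exe
STARTUP_FOLDER_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)

# Directories directly under the drive root where an autostart target is
# expected to live.  Assumed allowlist; tune it to the environment.
ALLOWED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}

# Value name used by both detonations in this report.
KNOWN_VALUE_NAMES = {"parametr"}


def executable_path(command_line: str) -> Optional[str]:
    """Return the .exe path at the start of a Run-value command line.

    Accepts both the bare form (C:\\SysDrv9S\\devdobec.exe) and the quoted
    form with arguments ("C:\\x\\y.exe" /flag).
    """
    m = re.match(r'^\s*"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?(?:\s|$)', command_line, re.IGNORECASE)
    return m.group("path") if m else None


def is_root_level_exe(path: str) -> bool:
    """True for C:\\<dir>\\<file>.exe where <dir> is not an expected root directory."""
    parts = path.split("\\")
    return len(parts) == 3 and parts[1].lower() not in ALLOWED_ROOT_DIRS


def scan(events: Iterable[dict]) -> list:
    """Flag Run/RunOnce persistence and Startup-folder drops in Sysmon-style events."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:  # RegistryEvent (Value Set)
            m = RUN_KEY_RE.search(ev["TargetObject"])
            if not m:
                continue
            reasons = []
            exe = executable_path(ev["Details"])
            if exe and is_root_level_exe(exe):
                reasons.append("autostart target in non-standard root-level directory")
            if m.group("value").lower() in KNOWN_VALUE_NAMES:
                reasons.append("value name matches this report")
            if reasons:
                findings.append({"kind": "run_key", "image": ev["Image"],
                                 "target": exe or ev["Details"], "reasons": reasons})
        elif ev["EventID"] == 11:  # FileCreate
            if STARTUP_FOLDER_RE.search(ev["TargetFilename"]):
                findings.append({"kind": "startup_folder", "image": ev["Image"],
                                 "target": ev["TargetFilename"],
                                 "reasons": ["executable written to Startup folder"]})
    return findings


# Constructed Sysmon-style events.  Paths and the value name come from the
# report; the benign events are made up to show what is not flagged.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\SysDrv9S\devdobec.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\Galax48\optixloc.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["kind"], f["target"], "|", "; ".join(f["reasons"]))
```

The root-level-directory heuristic is what generalizes across the two detonations, since the directory and file names are regenerated each run while the layout (a short random directory under C:\ holding a single executable) stays the same; the `Parametr` value name is a weaker, report-specific indicator and is kept as a second reason rather than a sole trigger. Expect to extend `ALLOWED_ROOT_DIRS` for installers that legitimately create their own root-level directories.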
Processes
C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
"C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\SysDrvTN\xdobloc.exe
C:\SysDrvTN\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| MD5 | c1fef6edc73a3103a3883d7e02a78ab6 |
| SHA1 | 7afd289a4cfef1c66bafab50c684002767cf4f6d |
| SHA256 | 3c26edc6b8336656b9fee07845585ca88cb29efd8a4693b138731957d8cca1e6 |
| SHA512 | 0233dba2cfb6377008c1f7532900c01fcf0900e068eb13dd1dba35e8d252a926ebad4f2c65b1ecd06471f0cc618ae38002d7842cd4252f12144b052efad1ddcb |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 55f62cf3de962006e476202e364b72da |
| SHA1 | a05534aadbccd9335b06cfe577cd36deefd4952e |
| SHA256 | 9099c54dae9f03767c4198ead281a8889c95387f6570bde6a170c3312571a31b |
| SHA512 | 6779091cf1993eb7ac2fd3520c15528a426dfc4488a83f07738b115572ddaa224df6ac73650acc2b669b8fa911c94525b41ec02e332394e2ad72b31c0fe4bccb |
C:\SysDrvTN\xdobloc.exe
| MD5 | f3d5287ec8792bac099aac22ac08d1db |
| SHA1 | ea746e06ed26a0177c811ee7ff97b97e9730afba |
| SHA256 | 52adb8b87905073cc6cd29f095b19ead230f8527976d4eb7c9751442a953c6ff |
| SHA512 | 043f0fd5025e71fa7a1f7bd38b3ecbc6dbd7ff2b960abe801212c562ef2ce6103aaf33b1aa236a74c38ff11fad7d47dfd1d972d8cdfee854282c9315fa43ad44 |
C:\SysDrvTN\xdobloc.exe
| MD5 | 782b332ae238d36d5bb08c01e5b8733c |
| SHA1 | 7eb97d397446d0d5fa4c9eeeddef2213e110f831 |
| SHA256 | cfe8e64c1099128bdd6e2299d5bcdaf0158b238fd63d1bcd2bfaa0a6a9d4d253 |
| SHA512 | 17179933608478ade6737cc272dd59530f4c44881adeefd48dae7b9cc3abb09090cac368e190e24a576f72c06cdf7f888243ef6c6ba81a683be96baa96fd01ca |
C:\LabZW7\dobaec.exe
| MD5 | eb0854f1c4599efbeaae41929be8ab2f |
| SHA1 | 1e536113d97980522ebba0fd8b464b85dfbf57d7 |
| SHA256 | f9396c26c643eb1c9aa792a5a328848358f2e2f86db37464c2472ec9c10a7f56 |
| SHA512 | fea419f0d4f2e1cda3db0ffa8d8de2256c2356c96e3d0977c8d253eb1c4035d68de8012ffe7f7e799b8773e284e9cf95f7013397bbf200f98f9e15b6020c37b8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0397f9679454460eb8be34c82e6474a5 |
| SHA1 | a8b7be9cb1ee3c6119040f4dfe8077dd3d134f54 |
| SHA256 | 7040e03ccb59e6bffa4e17e9fb0c6f8e8eaf8d4e56a3ca142257e91297c416bd |
| SHA512 | d475c0e007b4a32decc6e12b31bd785db37e8e34288ad2507cf7c0c4482ad28a3fb5a4cdc85eaee51745b3c6428b27ff6c31648daba76aff65411cc4ff8f320f |
C:\LabZW7\dobaec.exe
| MD5 | 38542fa3467ce24e7157648d0f5318f1 |
| SHA1 | 76d5e7462d48089828af1f57785dbb52297f6680 |
| SHA256 | bac4442e8f1776f41f8ed0d21995a1f810633ef8dd18cc6d7c08b3c1a2b208ca |
| SHA512 | 121ccc105a5a14455ecf5231be025f16ea5801ef773e239c52640a922b76b4c0ee7dc9b14d0fa5edd733db24f70cc491eab1193acaa10f460b9360082424d546 |